Hi,
I currently have one rack with about 30 publicly addressed servers, which are
on the same IP subnet in order to make routing configuration easier, and are
therefore on the same Ethernet segment. The gateway also acts as a
firewall, which protects the servers from potential external attacks.
But if only one of the servers is compromised, then attacking the other
servers becomes far simpler. Indeed, the attacker can use ARP cache
poisoning and then mount Man-in-the-Middle attacks.
In order to avoid this situation, the idea is to make one DMZ for each server.
We could simply use 30 different LANs, but that is expensive and wastes
resources, money, ...
There is a simpler solution: use a managed switch and set up one VLAN for each
server. The firewall will act as a bridge, being completely invisible, and
filtering packets between servers.
But my problem is that the switch I use (HP ProCurve 4000M) doesn't support
having the same MAC address on multiple VLANs, and unfortunately, that's
exactly what happens while bridging between multiple VLANs.
In my opinion, there are two solutions:
* first, run some kind of Ethernet address translation, like NAT does
for IP addresses, but without port multiplexing,
* or find a switch which allows the same MAC address on multiple
VLANs. Unfortunately, commercial datasheets don't talk about this kind
of detail.
A third solution is to create a pseudo-VLAN, which uses ARP proxying, but I'd
like to avoid it.
So does anyone have an idea about this problem?
And do switches supporting the same MAC address on multiple VLANs exist?
Comments are of course welcome.
Thanks.
--
Jeremie aka T{ata,t}Z
[EMAIL PROTECTED]
_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
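The two mechanisms this message turns on, modelled in a small Python script. This is an added example, not code from the original post, from the poster or from the bridge project. It shows (1) why a transparent bridging firewall makes one MAC address show up on several VLANs: the firewall re-tags the frame for the other VLAN but leaves the source MAC untouched, so a switch that keys its forwarding database on MAC alone (shared VLAN learning, SVL in 802.1Q terms) sees the station "move" between its access port and the trunk, whereas a switch that keys on (VLAN, MAC) (independent VLAN learning, IVL) stays stable; and (2) the ARP cache poisoning step of the MITM attack the message wants to prevent, with a monitor that records IP-to-MAC bindings per VLAN and flags a reply that rebinds an IP. The MAC and IP addresses, port names and frames are all constructed for the example; the forwarding-database model is a simplification of what a real switch does (no ageing, no flooding), and the monitor is a demonstration, not a full ARP-spoofing detector.

```python
import struct

ETH_P_8021Q = 0x8100
ETH_P_ARP = 0x0806
ARP_REPLY = 2

# Constructed addresses for the example: locally administered MACs, RFC 1918 IPs.
MAC_GW = bytes.fromhex("020000000001")   # gateway / firewall
MAC_A = bytes.fromhex("02000000000a")    # server A
MAC_B = bytes.fromhex("020000000014")    # server B
MAC_C = bytes.fromhex("02000000001e")    # compromised server
IP_GW, IP_A, IP_B = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 10]), bytes([10, 0, 0, 20])


def mac2s(b):
    return ":".join(f"{x:02x}" for x in b)


def ip2s(b):
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """ARP reply body: htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, op=2."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
            + sender_mac + sender_ip + target_mac + target_ip)


def build_frame(dst, src, vlan, payload, ethertype=ETH_P_ARP):
    """Ethernet II frame with an 802.1Q tag carrying VLAN id `vlan`."""
    return dst + src + struct.pack("!HHH", ETH_P_8021Q, vlan & 0x0FFF, ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vlan, ethertype, payload); vlan is None when untagged."""
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    vlan, off = None, 14
    if ethertype == ETH_P_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    return dst, src, vlan, ethertype, frame[off:]


def bridge_relay(frame, out_vlan):
    """What a transparent bridging firewall does: re-tag the frame for the other
    VLAN and leave source and destination MAC exactly as they were."""
    dst, src, _, ethertype, payload = parse_frame(frame)
    return build_frame(dst, src, out_vlan, payload, ethertype)


class Fdb:
    """Switch forwarding database.  ivl=True keys entries on (vlan, mac), i.e.
    802.1Q independent VLAN learning; ivl=False keys on mac alone (shared VLAN
    learning), which is the limitation the message runs into."""

    def __init__(self, ivl):
        self.ivl, self.table, self.moves = ivl, {}, 0

    def _key(self, vlan, mac):
        return (vlan, mac) if self.ivl else mac

    def ingress(self, port, frame):
        _, src, vlan, _, _ = parse_frame(frame)
        key = self._key(vlan, src)
        if key in self.table and self.table[key] != port:
            self.moves += 1            # the switch thinks the station moved ports
        self.table[key] = port

    def lookup(self, vlan, mac):
        return self.table.get(self._key(vlan, mac))


def simulate_bridged_vlans(ivl):
    """Server A (VLAN 10, access port p1) exchanges ARP replies with server B
    (VLAN 20, port p2) through the firewall on the trunk port.  Returns the number
    of MAC moves and the port the switch would use for a VLAN-10 frame to A."""
    fdb = Fdb(ivl)
    a_to_b = build_frame(MAC_B, MAC_A, 10, build_arp_reply(MAC_A, IP_A, MAC_B, IP_B))
    fdb.ingress("p1", a_to_b)                        # learned on A's own port, VLAN 10
    fdb.ingress("trunk", bridge_relay(a_to_b, 20))   # same source MAC, now on VLAN 20
    b_to_a = build_frame(MAC_A, MAC_B, 20, build_arp_reply(MAC_B, IP_B, MAC_A, IP_A))
    fdb.ingress("p2", b_to_a)
    fdb.ingress("trunk", bridge_relay(b_to_a, 10))
    return fdb.moves, fdb.lookup(10, MAC_A)   # SVL: (2, "trunk"); IVL: (0, "p1")


class ArpMonitor:
    """Records IP -> MAC from ARP replies per VLAN and reports a reply that rebinds
    an IP to another MAC: the cache-poisoning step of the MITM described above."""

    def __init__(self):
        self.bindings, self.alerts = {}, []

    def observe(self, frame):
        _, src, vlan, ethertype, payload = parse_frame(frame)
        if ethertype != ETH_P_ARP or len(payload) < 28:
            return None
        op, sha, spa = struct.unpack("!H", payload[6:8])[0], payload[8:14], payload[14:18]
        if op != ARP_REPLY:
            return None
        known = self.bindings.setdefault((vlan, spa), sha)   # first binding wins
        if known != sha:
            alert = (f"VLAN {vlan}: {ip2s(spa)} claimed by {mac2s(sha)} "
                     f"(previously {mac2s(known)}, frame from {mac2s(src)})")
            self.alerts.append(alert)
            return alert
        return None


def simulate_flat_segment():
    """All servers on one VLAN: a legitimate reply from the gateway, then the
    compromised server C claiming the gateway's IP.  Returns the alert text."""
    mon = ArpMonitor()
    mon.observe(build_frame(MAC_A, MAC_GW, 1, build_arp_reply(MAC_GW, IP_GW, MAC_A, IP_A)))
    return mon.observe(build_frame(MAC_A, MAC_C, 1, build_arp_reply(MAC_C, IP_GW, MAC_A, IP_A)))


if __name__ == "__main__":
    print("SVL switch (MAC-only FDB):", simulate_bridged_vlans(ivl=False))
    print("IVL switch ((VLAN, MAC) FDB):", simulate_bridged_vlans(ivl=True))
    print("ARP monitor:", simulate_flat_segment())
```

Under the MAC-only table the switch ends up pointing VLAN-10 traffic for server A at the trunk, i.e. back at the firewall, which is the symptom behind "doesn't support the same MAC address on multiple VLANs"; the (VLAN, MAC) table never moves an entry. Rewriting the source MAC at the firewall, the "Ethernet address translation" idea in the message, would avoid the duplicate entries on either kind of switch.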